diff --git a/PKGBUILD b/PKGBUILD index 1078e2a..5f580ee 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -32,12 +32,15 @@ _srctag=v${pkgver%.*}-${pkgver##*.} source=( https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/${_srcname}.tar.xz config # the main kernel config file + defaultmaxASLR.patch ) # https://www.kernel.org/pub/linux/kernel/v6.x/sha256sums.asc sha256sums=('2be05b487eb239a3bf687d628a8f104177d09c310f00bcc2a5e50f1733421eb9' - '254c531c49080ffb399a6246537a9c7b65718acdf1515b72f3570d23aa0a4fe6') + '254c531c49080ffb399a6246537a9c7b65718acdf1515b72f3570d23aa0a4fe6' + '9f29efd7acf37d8e3015029216865fb590362d9589feb91dc84e68fee6dabff0') b2sums=('a228397902894f566d49adef24e4d44271893173cf0c58e8eb6006137dfb870b5f3aea17cadc775988a0682ba4a5261ebd3f10689b6c096f762cc8af666c56ff' - 'ea46d444dcbec8d6edc761b84ee047b72d9d9d65802902c8fc01f0cef55adf4f16c35834c2c8c01ccb20b249efa8054f20ce851c7eb6cfd2eb2ee90ee8bf6ad5') + 'ea46d444dcbec8d6edc761b84ee047b72d9d9d65802902c8fc01f0cef55adf4f16c35834c2c8c01ccb20b249efa8054f20ce851c7eb6cfd2eb2ee90ee8bf6ad5' + '30f9ecc8011b67e89166a01cf15c6994ba72cb7277cf8cce3461db66c3f0dfa77f396976dc82b6b78c723845282ea721a07a8fb1f3baff43dbf46bee10940b1a') export KBUILD_BUILD_HOST=archlinux export KBUILD_BUILD_USER=$pkgbase diff --git a/README.md b/README.md index bb14d20..ad73e46 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,16 @@ -patches folder contains all the patches. files shipped are already prepatched +My personal custom kernel -patch order: +defaultmaxASLR.patch - increase security + + +patches folder contains all the config patches. config shipped are already prepatched + +config patch order: 1. waydroid.patch 2. security.patch -sources: +config sources: - waydroid.patch: https://wiki.archlinux.org/title/Waydroid - security.patch: selected from https://www.kicksecure.com/wiki/Hardened-kernel \ No newline at end of file diff --git a/defaultmaxASLR.patch b/defaultmaxASLR.patch new file mode 100644 index 0000000..ff608f5 --- /dev/null 
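Review bot: The `source` array on the new side still authenticates the kernel tarball by pinned hashes alone; it has no detached-signature entry, so the only link to kernel.org's signed `sha256sums.asc` is the comment above `sha256sums`. makepkg can do that check itself if the array also lists the matching `.tar.sign` file (with `'SKIP'` added to both sum arrays) and the PKGBUILD declares `validpgpkeys=('<release signing key fingerprint>')`. The sums added for `defaultmaxASLR.patch` cover a file that lives in this same repository, so they catch a mismatch between the two but say nothing about where the patch came from; the `From db70c38e…` header inside the patch is what a reader should compare against the upstream commit. Whether the patch is actually applied depends on `prepare()`, which is outside this hunk.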
+++ b/defaultmaxASLR.patch
@@ -0,0 +1,33 @@
+From db70c38e74c8850174dcc09b302c41543583c980 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)"
+Date: Sat, 13 Jan 2024 15:29:25 +0100
+Subject: [PATCH] arch/Kconfig: Default to maximum amount of ASLR bits
+
+To mitigate https://zolutal.github.io/aslrnt/; do this with a patch to
+avoid having to enable `CONFIG_EXPERT`.
+---
+ arch/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index 30f7930275d838..318a4e75058b3b 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -1033,7 +1033,7 @@ config ARCH_MMAP_RND_BITS
+ int "Number of bits to use for ASLR of mmap base address" if EXPERT
+ range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+ default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
+- default ARCH_MMAP_RND_BITS_MIN
++ default ARCH_MMAP_RND_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_BITS
+ help
+ This value can be used to select the number of bits to use to
+@@ -1067,7 +1067,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
+ int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
+ range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
+ default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
+- default ARCH_MMAP_RND_COMPAT_BITS_MIN
++ default ARCH_MMAP_RND_COMPAT_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ help
+ This value can be used to select the number of bits to use to
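Review bot: Changing the fallback `default` to `ARCH_MMAP_RND_BITS_MAX` (and the `_COMPAT` twin in the second embedded hunk) only decides the value while the prompt stays hidden, that is while `EXPERT` is off and the architecture leaves `ARCH_MMAP_RND_BITS_DEFAULT` unset. If the shipped `config` turns on `CONFIG_EXPERT`, which is not visible on this page, the number stored in that file is used instead and the build silently keeps the lower entropy. Nothing in the commit verifies the outcome, so a check belongs after the config step or in the README: `grep -E '^CONFIG_ARCH_MMAP_RND(_COMPAT)?_BITS=' .config`, or `sysctl vm.mmap_rnd_bits vm.mmap_rnd_compat_bits` on the booted kernel. Both embedded hunks stop inside the `help` text, so the rest of each Kconfig entry cannot be reviewed from here.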